MBR:SST Rootkit

I was wondering how I can remove this rootkit from my computer. The file says MBR:\.\PHYSICALDRIVE0\PARTITION4 and the rootkit name says MBR:SST. When I did a full scan with Avast it showed 4 infected files. I did the reboot scan and then scanned again with Avast, but it is still there each time. Any suggestions? Thank you!

Hi, if that report is correct then:

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please attach its contents on your next reply.

Thank you for replying and your help. I downloaded TDSSKiller, but it only came up with 3 objects that were suspicious and not malicious. It showed Skip, so I continued. Avast still shows the rootkit as 4 infected files. I had to copy only part of the report from TDSSKiller because it wouldn’t let me post it, saying the message exceeds the maximum allowed length.

This is the last part of it…

13:56:49.0822 0x0d18 Win FW state via NFP2: enabled ( trusted )
13:56:52.0377 0x0d18 ============================================================
13:56:52.0377 0x0d18 Scan finished
13:56:52.0377 0x0d18 ============================================================
13:56:52.0414 0x1060 Detected object count: 3
13:56:52.0414 0x1060 Actual detected object count: 3
13:59:24.0719 0x1060 SeagateDashboardService ( UnsignedFile.Multi.Generic ) - skipped by user
13:59:24.0720 0x1060 SeagateDashboardService ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:59:24.0732 0x1060 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
13:59:24.0732 0x1060 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
13:59:24.0734 0x1060 Seagate Dashboard ( UnsignedFile.Multi.Generic ) - skipped by user
13:59:24.0734 0x1060 Seagate Dashboard ( UnsignedFile.Multi.Generic ) - User select action: Skip

Here is the beginning of the report:
13:52:15.0761 0x1620 TDSS rootkit removing tool 3.1.0.5 Jul 24 2015 12:29:57
13:52:33.0759 0x1620 ============================================================
13:52:33.0759 0x1620 Current date / time: 2015/10/01 13:52:33.0759
13:52:33.0759 0x1620 SystemInfo:
13:52:33.0760 0x1620
13:52:33.0760 0x1620 OS Version: 6.0.6002 ServicePack: 2.0
13:52:33.0760 0x1620 Product type: Workstation
13:52:33.0760 0x1620 ComputerName: TERI-PC
13:52:33.0766 0x1620 UserName: Lory
13:52:33.0766 0x1620 Windows directory: C:\Windows
13:52:33.0766 0x1620 System windows directory: C:\Windows
13:52:33.0766 0x1620 Running under WOW64
13:52:33.0766 0x1620 Processor architecture: Intel x64
13:52:33.0766 0x1620 Number of processors: 2
13:52:33.0766 0x1620 Page size: 0x1000
13:52:33.0766 0x1620 Boot type: Normal boot
13:52:33.0766 0x1620 ============================================================
13:52:41.0837 0x1620 KLMD registered as C:\Windows\system32\drivers\64491859.sys
13:52:46.0118 0x1620 System UUID: {9F9CD0EF-3F3C-46EF-1949-F02F769A991D}
13:52:55.0430 0x1620 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 ( 298.09 Gb ), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000040
13:52:55.0491 0x1620 ============================================================
13:52:55.0491 0x1620 \Device\Harddisk0\DR0:
13:52:55.0519 0x1620 MBR partitions:
13:52:55.0519 0x1620 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x23B9C800
13:52:55.0519 0x1620 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x23B9D000, BlocksNum 0x1890000
13:52:55.0519 0x1620 ============================================================
13:52:55.0697 0x1620 C: ↔ \Device\Harddisk0\DR0\Partition1
13:52:56.0111 0x1620 D: ↔ \Device\Harddisk0\DR0\Partition2
13:52:56.0111 0x1620 ============================================================
13:52:56.0111 0x1620 Initialize success
13:52:56.0111 0x1620 ============================================================
13:53:33.0106 0x0d18 ============================================================
13:53:33.0106 0x0d18 Scan started
13:53:33.0106 0x0d18 Mode: Manual; SigCheck; TDLFS;
13:53:33.0106 0x0d18 ============================================================
13:53:33.0106 0x0d18 KSN ping started
13:53:35.0773 0x0d18 KSN ping finished: true
13:53:37.0305 0x0d18 ================ Scan system memory ========================
13:53:37.0305 0x0d18 System memory - ok
13:53:37.0323 0x0d18 ================ Scan services =============================

OK, let's see what Avast is reporting.

Download aswMBR.exe (4.5 MB) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation; accept that.
When it offers to download the virus database, allow that as well.
Click the “Scan” button to start the scan.

https://dl.dropboxusercontent.com/u/73555776/AswMBR%20scan.JPG

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

Ok, here is the saved log…

aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-10-01 15:12:07

15:12:07.239 OS Version: Windows x64 6.0.6002 Service Pack 2
15:12:07.239 Number of processors: 2 586 0x170A
15:12:07.240 ComputerName: TERI-PC UserName: Lory
15:12:43.494 Initialize success
15:12:43.599 VM: initialized successfully
15:12:43.601 VM: Intel CPU virtualization not supported
15:13:09.545 AVAST engine defs: 15100102
15:13:14.230 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
15:13:14.234 Disk 0 Vendor: Hitachi_HTS545032B9A300 PB3OCA0G Size: 305245MB BusType: 3
15:13:14.703 Disk 0 MBR read successfully
15:13:14.706 Disk 0 MBR scan
15:13:14.752 Disk 0 unknown MBR code
15:13:34.854 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 292665 MB offset 2048
15:13:35.050 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 12576 MB offset 599379968
15:13:35.102 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 3 MB offset 625135616
15:13:35.359 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 0 MB offset 625142432
15:13:35.722 Disk 0 scanning C:\Windows\system32\drivers
15:14:27.583 Service scanning
15:16:15.844 Modules scanning
15:16:15.858 Disk 0 trace - called modules:
15:16:15.880 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:16:15.886 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8005d22790]
15:16:15.892 3 CLASSPNP.SYS[fffffa6000a4ac33] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004bc4590]
15:16:47.261 AVAST engine scan C:\Windows
15:17:30.437 AVAST engine scan C:\Windows\system32
15:36:13.708 AVAST engine scan C:\Windows\system32\drivers
15:38:04.018 AVAST engine scan C:\Users\Lory
16:25:47.885 AVAST engine scan C:\ProgramData
16:32:13.034 Disk 0 statistics 4216890/0/0 @ 0.60 MB/s
16:32:13.044 Scan finished successfully
16:38:34.910 Disk 0 MBR has been saved successfully to “C:\Users\Lory\Documents\MBR.dat”
16:38:34.915 The log file has been saved successfully to “C:\Users\Lory\Documents\aswMBR.txt”

OK, could you screenshot the Avast alert that is showing this infection?

Here is an attached screenshot… Thank you.

It appears that it is reporting it in an AppData folder, so let's see what I can see.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
[*]Select Additions at the bottom.
[*]Press the Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.

Here are those attachments…

OK, not a false positive:

Partition 3: (Not Active) - (Size=3 MB) - (Type=17) ATTENTION ===> Suspicious partition bootkit on partition 3
Partition 4: (Not Active) - (Size=8 KB) - (Type=17) ATTENTION ===> Suspicious partition bootkit on partition 4

Go to Control Panel > Administrative Tools > Computer Management > Storage > Disk Management.
In the Disk Management layout locate partitions 3 and 4, which are 3 MB and 8 KB respectively.
Now right click partition 3 and select Delete.
Repeat for partition 4.
Let me know once you have done that and I will then remove a little adware.
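The partition-table check that FRST and aswMBR performed above, as an added example (not the thread's or either tool's own code): it parses a constructed 512-byte MBR whose four entries are built from the sizes and offsets in the aswMBR log and the disk size in the TDSSKiller log, and flags the two hidden Type 0x17 entries using the same reasoning the helper applied (hidden type, tiny size, tucked at the very end of the disk).

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, start LBA, sector count
SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
HIDDEN_NTFS = 0x17          # "Hidd HPFS/NTFS" in the aswMBR log
TINY_SECTORS = 32 * 1024 * 1024 // SECTOR   # under 32 MB: too small to be a real volume
# Whole-disk sector count from the TDSSKiller line "Size: 0x4A85D56000" (bytes / 512).
DISK_SECTORS = 0x4A85D56000 // SECTOR


def make_entry(boot, ptype, start_lba, sectors):
    """Pack one partition entry; CHS fields are zeroed because tools rely on LBA."""
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def build_constructed_mbr():
    """Constructed sample MBR mirroring the aswMBR/TDSSKiller logs in this thread.
    Sizes are converted to 512-byte sectors (292665 MB, 12576 MB, 3 MB, 8 KB)."""
    table = b"".join((
        make_entry(0x80, 0x07, 2048, 599_377_920),          # partition 1, C:, active
        make_entry(0x00, 0x07, 599_379_968, 25_755_648),    # partition 2, D:
        make_entry(0x00, HIDDEN_NTFS, 625_135_616, 6_144),  # partition 3, hidden, 3 MB
        make_entry(0x00, HIDDEN_NTFS, 625_142_432, 16),     # partition 4, hidden, 8 KB
    ))
    mbr = bytearray(SECTOR)          # boot-code area left as zeros in this sample
    mbr[TABLE_OFFSET:TABLE_OFFSET + len(table)] = table
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_partition_table(mbr):
    """Return the non-empty entries of an MBR as dicts; reject sectors without 55AA."""
    if len(mbr) < SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                 # empty slot
        parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count})
    return parts


def flag_suspicious(parts, disk_sectors):
    """Apply the heuristics used in the thread: hidden type, tiny size, at the disk end."""
    findings = []
    for p in parts:
        reasons = []
        if p["type"] == HIDDEN_NTFS:
            reasons.append("hidden NTFS (type 0x17)")
        if p["sectors"] < TINY_SECTORS:
            reasons.append("tiny: %d KB" % (p["sectors"] * SECTOR // 1024))
        if p["start_lba"] + p["sectors"] == disk_sectors:
            reasons.append("ends exactly at the last sector of the disk")
        if reasons:
            findings.append((p["index"], reasons))
    return findings


if __name__ == "__main__":
    parts = parse_partition_table(build_constructed_mbr())
    for idx, reasons in flag_suspicious(parts, DISK_SECTORS):
        print("ATTENTION ===> Suspicious partition %d: %s" % (idx, "; ".join(reasons)))
```

On a real machine the 512 bytes would come from reading sector 0 of the physical drive (which needs administrator rights); the same three heuristics then apply unchanged.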

Not quite sure which partitions are which…
Here is a screenshot attachment…

What size are the top two partitions?

3MB and 0MB

OK, right click them and select Delete.

Reboot and scan again with Avast.

Wow, thanks, it worked! After scanning with Avast again it didn’t show up as a threat! Thank you very much!

Now the minor adware removal.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
BHO: No Name -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> No File
BHO: No Name -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> No File
BHO-x32: No Name -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> No File
Toolbar: HKU\S-1-5-21-1044158092-266668091-2856174117-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Toolbar: HKU\S-1-5-21-1044158092-266668091-2856174117-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF Plugin HKU\S-1-5-21-1044158092-266668091-2856174117-1000: @doubletwist.com/NPPodcast -> C:\Program Files (x86)\Common Files\doubleTwist\NPPodcast.dll No File
FF HKLM-x32\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn => not found
FF Extension: No Name - C:\Program Files (x86)\BetterSurf\BetterSurfPlus\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta818\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha1647\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaViewerV1\MediaViewerV1alpha766\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3562\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3489\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home3345\ff [not found]
2015-09-18 15:02 - 2012-07-31 13:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy SafeGuard
2012-10-04 11:12 - 2012-10-04 11:14 - 0000160 ____H () C:\ProgramData\-75vNHvgPRKet8v
2012-10-04 11:12 - 2012-10-04 11:14 - 0000168 ____H () C:\ProgramData\-75vNHvgPRKet8vr
2012-10-04 11:12 - 2012-10-04 11:18 - 0000112 ____H () C:\ProgramData\75vNHvgPRKet8v
Task: {7171A6C3-FFB4-433F-9B50-D4E40495013C} - \Optimizer Pro Schedule -> No File <==== ATTENTION
Task: {737F2FBC-7021-437D-B229-97F01C4911AA} - \Desk 365 RunAsStdUser -> No File <==== ATTENTION
Task: {AE032FEB-BAFA-42CC-845E-761BA2883229} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: {CA8BD153-F5F3-4D17-AC62-87042CF5ACA3} - System32\Tasks\{CA4EA9D3-FF1D-4FA7-9467-B508870C2BBD} => pcalua.exe -a "C:\Users\Lory\Downloads\sp37913 (1).exe" -d C:\Users\Lory\Downloads
Task: {D080AA7C-9729-4B2C-9C6E-2943A3EBA7A6} - \DTReg -> No File <==== ATTENTION
C:\Program Files (x86)\MyPC Backup
C:\Program Files (x86)\BetterSurf
C:\Program Files (x86)\VideoPlayerV3
C:\Program Files (x86)\MediaPlayerV1
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”.
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

Here is the fixlog and I still have to do the next step…

Fix result of Farbar Recovery Scan Tool (x64) Version:03-10-2015
Ran by Lory (2015-10-03 08:53:21) Run:1
Running from C:\Users\Lory\Downloads\FRST-OlderVersion
Loaded Profiles: Lory (Available Profiles: Lory)
Boot Mode: Normal

fixlist content:


CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
BHO: No Name -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> No File
BHO: No Name -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> No File
BHO-x32: No Name -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> No File
Toolbar: HKU\S-1-5-21-1044158092-266668091-2856174117-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Toolbar: HKU\S-1-5-21-1044158092-266668091-2856174117-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF Plugin HKU\S-1-5-21-1044158092-266668091-2856174117-1000: @doubletwist.com/NPPodcast -> C:\Program Files (x86)\Common Files\doubleTwist\NPPodcast.dll No File
FF HKLM-x32\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn => not found
FF Extension: No Name - C:\Program Files (x86)\BetterSurf\BetterSurfPlus\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta818\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha1647\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaViewerV1\MediaViewerV1alpha766\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3562\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3489\ff [not found]
FF Extension: No Name - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home3345\ff [not found]
2015-09-18 15:02 - 2012-07-31 13:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy SafeGuard
2012-10-04 11:12 - 2012-10-04 11:14 - 0000160 ____H () C:\ProgramData\-75vNHvgPRKet8v
2012-10-04 11:12 - 2012-10-04 11:14 - 0000168 ____H () C:\ProgramData\-75vNHvgPRKet8vr
2012-10-04 11:12 - 2012-10-04 11:18 - 0000112 ____H () C:\ProgramData\75vNHvgPRKet8v
Task: {7171A6C3-FFB4-433F-9B50-D4E40495013C} - \Optimizer Pro Schedule -> No File <==== ATTENTION
Task: {737F2FBC-7021-437D-B229-97F01C4911AA} - \Desk 365 RunAsStdUser -> No File <==== ATTENTION
Task: {AE032FEB-BAFA-42CC-845E-761BA2883229} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: {CA8BD153-F5F3-4D17-AC62-87042CF5ACA3} - System32\Tasks\{CA4EA9D3-FF1D-4FA7-9467-B508870C2BBD} => pcalua.exe -a "C:\Users\Lory\Downloads\sp37913 (1).exe" -d C:\Users\Lory\Downloads
Task: {D080AA7C-9729-4B2C-9C6E-2943A3EBA7A6} - \DTReg -> No File <==== ATTENTION
C:\Program Files (x86)\MyPC Backup
C:\Program Files (x86)\BetterSurf
C:\Program Files (x86)\VideoPlayerV3
C:\Program Files (x86)\MediaPlayerV1
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


This is the logfile from AdwCleaner:

AdwCleaner v5.009 - Logfile created 03/10/2015 at 09:35:35

Updated 27/09/2015 by Xplode

Database : 2015-09-30.1 [Server]

Operating system : Windows ™ Vista Home Premium Service Pack 2 (x64)

Username : Lory - TERI-PC

Running from : C:\Users\Lory\Downloads\AdwCleaner (1).exe

Option : Cleaning

Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[#] Folder Deleted : C:\Program Files\Uninstaller
[#] Folder Deleted : C:\Program Files (x86)\searchresults
[#] Folder Deleted : C:\Program Files (x86)\Zoom Downloader
[#] Folder Deleted : C:\Program Files (x86)\VideoPlayer
[#] Folder Deleted : C:\Program Files (x86)\MediaViewerV1
[#] Folder Deleted : C:\Program Files (x86)\MediaViewV1
[#] Folder Deleted : C:\Program Files (x86)\VideoPlayer
[#] Folder Deleted : C:\Program Files (x86)\Common Files\337
[#] Folder Deleted : C:\ProgramData\Ask
[#] Folder Deleted : C:\ProgramData\Babylon
[#] Folder Deleted : C:\ProgramData\Conduit
[#] Folder Deleted : C:\ProgramData\eSafe
[#] Folder Deleted : C:\ProgramData\Tarma Installer
[#] Folder Deleted : C:\ProgramData\1c5d5ec3171d4156
[#] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zoom Downloader
[#] Folder Deleted : C:\Users\Lory\AppData\Local\Conduit
[#] Folder Deleted : C:\Users\Lory\AppData\Local\SwvUpdater
[#] Folder Deleted : C:\Users\Lory\AppData\Local\WordLayers
[#] Folder Deleted : C:\Users\Lory\AppData\LocalLow\Conduit
[#] Folder Deleted : C:\Users\Lory\AppData\LocalLow\searchresults
[#] Folder Deleted : C:\Users\Lory\AppData\LocalLow\DownloadManager
[#] Folder Deleted : C:\Users\Lory\AppData\Roaming\Systweak

***** [ Files ] *****

[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\user.js
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
[-] File Deleted : C:\Users\Lory\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klibnahbojhkanfgaglnlalfkgpcppfi
[-] File Deleted : C:\Users\Lory\Desktop\Sync Folder.lnk

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

[-] Task Deleted : Adobe Flash Player Updater

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DeskSvc
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WsysSvc
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
[-] Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\searchresults
[-] Key Deleted : HKCU\Software\UpdateFiles
[-] Key Deleted : HKCU\Software\StormWatch
[-] Key Deleted : HKCU\Software\VideoPlayer
[-] Key Deleted : HKCU\Software\AppDataLow\Toolbar
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
[-] Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key Deleted : HKLM\SOFTWARE\Babylon
[-] Key Deleted : HKLM\SOFTWARE\BetterSurf
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\Desksvc
[-] Key Deleted : HKLM\SOFTWARE\hdcode
[-] Key Deleted : HKLM\SOFTWARE\systweak
[-] Key Deleted : HKLM\SOFTWARE\Video Player
[-] Key Deleted : HKLM\SOFTWARE\VideoPlayerV3
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\searchresults
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\searchresults
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\VOPackage
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\couponarific
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Video Player
[!] Key Not Deleted : [x64] HKCU\Software\Conduit
[!] Key Not Deleted : [x64] HKCU\Software\searchresults
[!] Key Not Deleted : [x64] HKCU\Software\UpdateFiles
[!] Key Not Deleted : [x64] HKCU\Software\StormWatch
[!] Key Not Deleted : [x64] HKCU\Software\VideoPlayer
[-] Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
[!] Key Not Deleted : HKU\S-1-5-21-1044158092-266668091-2856174117-1000\Software\AppDataLow\Software\Conduit
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{800B35F9-A77F-4C65-BAD5-1D7309DD8780}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{800B35F9-A77F-4C65-BAD5-1D7309DD8780}

***** [ Web browsers ] *****

[-] [C:\Users\Lory\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Lory\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Lory\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : conduit.search
[-] [C:\Users\Lory\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : hfjgekpddapedobkjbmeefnjofabigbi


:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [7820 bytes] ##########